A little-known behavior in Chrome OS may reveal users' movements through wireless network logs.
The attack takes advantage of Guest mode in Chrome OS. It requires physical access to the device, but it can be executed without knowing the user's password or accessing the login.
The bug was reported by the Committee on Liberatory Information Technology, a tech collective that includes several former Google employees.
A Google spokesman said: We are studying this issue, and device owners can in the meantime turn off guest mode and disable the creation of new users.
The bug stems from the way Chromebooks handle their wireless network logs, which show when and how the computer connects to the Internet.
The logs can be confusing to non-technical users, but they can be deciphered to reveal which wireless networks were in range of the computer.
Along with other available data, this can reveal the owner's movements during the time period covered by the logs, which could be up to seven days.
Chrome OS keeps these logs in unprotected memory, so they can be accessed without a password.
Simply open the Chromebook in guest mode and switch to a federated address that will show the records in local storage.
This displays all computer records, even those created outside of guest mode.
Andrés Arrieta, a researcher at the Electronic Frontier Foundation, confirmed the attack and said it was of particular concern to targeted and marginalized communities.
Although the bug won’t be of any benefit to traditional cybercriminals, it does present a privacy issue for those who are concerned about surveillance from family members or co-workers.
It is worrying because anyone with fast physical access to the device can enter as a guest and quickly take some logs and location details, Arrieta said.
He added: Security teams should try to better understand the potential repercussions of these errors on all users and include this in their assessment and prioritization.